Adobe Hardening Security and Incident Response Practices

This site may earn affiliate commissions from the links on this page. Terms of use.

Adobe has announced a series of measures to improve security throughout the company's products and practices. Growing out of a threat landscape that has brought unwelcome attention to Adobe Reader and Acrobat from malicious actors across the Internet, the company months ago began a 3-pronged approach to improving the safety of their software:

Code HardeningFor years Adobe has had a security process for new development, but they will begin a new process to examine the entire attack surface of Reader and Acrobat. They have been building new tools to do it and using more brute force techniques including static code analysis to improve it. They won't just fix bugs but put in strengthening techniques in code not necessarily thought to be at risk.

Incident ResponseAdobe has taken a beating for their response to some recent vulnerability events and they know they have to improve. Their last vulnerability response showed clear signs of the improvement they're discussing: In 14 days they turned around patches for a wide variety of products and platforms. They also plan to work on getting better information to customers and end users quicker in zero-day situations.

Adobe will adopt a regular schedule for releasing updates, much as Microsoft does. In fact, and not coincidentally, they will release their updates quarterly on the second Tuesday of the month, in other words on Microsoft's Patch Tuesday. The first update will be some time this summer.

Adopting the same patch day as Microsoft's is a deliberate policy adopted with the encouragement of customers and it's easy to see why: Customers are geared up on that day to evaluate vulnerabilities and update software. By joining in on the same day they make things easier for their customers. Many companies have snuck in updates on Patch Tuesday before, including Adobe this month, but Adobe is the first company to do so as a policy. I wouldn't be surprised if this turns into a trend.

These goals are all good news for all of us because it's true that PDF has become one of, if not the top attack target on the Internet. The 3 approaches all will help to reduce the attack surface of that target, If I have any advice for them beyond them it would be to guide development in the future in order to increase opportunities for practical mitigation of known vulnerabilities without having to go to the extreme of disabling JavaScript.